Why self-service kiosks are a target for cyber attacks

Today, customers demand immediacy, personalisation and seamless service from their providers. Our appetite for instant gratification means that anyone serving the public needs to offer easy, fast, smooth and continuous ways to meet those expectations.
This is where interactive kiosks help organisations deliver a high level of service in an easy-to-use, automated way. In recent years kiosks have gained popularity quickly, not only because they raise customer satisfaction by operating in self-service mode, but because they provide information or services to customers at the moment they need them.

Think about how you use such services: at a railway station to buy tickets, in a fast food outlet to order food, or in other ways as you go about your daily business. Today, kiosks are typically placed in high foot-traffic environments such as retail stores, hospitals, banks, hotels, airports, courthouses, libraries and railway stations, providing customer access to information, products, websites, tools or applications. For those less familiar, an interactive kiosk is a computer terminal with specialised hardware and software that provides access to information and applications for communication, commerce, entertainment or education.

Integration of technology allows kiosks to perform a wide range of functions, for example, kiosks may enable users to order from a shop’s catalogue when items are not in stock, check out a library book, look up information about products, issue a hotel key card, or enter a public utility bill account number in order to perform an online transaction.

Put simply, kiosks are computing platforms on which the user interface is deliberately limited to serve one purpose. Whether it is a citizen-facing terminal in a government building or a ticket machine in a train station, the common theme is that the user is constrained to a small set of tasks, such as buying a train ticket. The device underneath may run a full-blown operating system, but all the user should ever see is the application and the controls needed for that task.
It is therefore important for kiosk software platforms to be easy to deploy and to provide an intuitive user experience. The product is the interaction the user is performing and little beyond it, so the software is optimised for that interaction in that context.

The consequence is that security is often a secondary consideration. Many kiosk software providers pay lip service to it while concentrating on ease of use and ease of management. Meanwhile, cyber-attacks are escalating and have become an everyday occurrence; as adversaries seek out new methods of attack and new threat vectors, kiosks are becoming an increasingly attractive target.

Most kiosk software platforms provide little more than a management layer to configure the endpoint device inside the kiosk. A traditional endpoint such as a laptop is far more likely to have a full set of defensive tools deployed, to be actively managed and monitored, and to be patched and updated regularly. The same is rarely true of kiosk platforms.

So why is this? Often the business cannot justify a full-blown operating system and sophisticated defence tools on that platform, especially when it has a large number of kiosks deployed in the field. Kiosks are normally in remote or widely dispersed locations, so sending someone out to fix them carries significant cost.
Likewise, organisations do not always have local IT staff in those locations to maintain the equipment and its security. And where a patch management process does exist, it is not always timely. For example, if you adopt an Android platform, Google regularly announces the vulnerabilities it has patched.

Device manufacturers then have to produce their own patches for vulnerabilities that have already been announced publicly, which means announced to cybercriminals as well. Adversaries know there is a window of opportunity between the disclosure and the fix reaching the device, because the software author has told them exactly where to look. That delay can be even longer in kiosk ecosystems, where devices are geographically spread and rarely visited.

Or the kiosk might simply be old. One reason the WannaCry ransomware attack spread so widely is that the NHS was still running old computing terminals on old, unpatched operating systems. WannaCry exploited a Windows SMB vulnerability for which Microsoft had already published a fix, so any Windows machine that had not applied it, or was too old to receive it, was susceptible. Running legacy systems for too long can therefore be a false economy.
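The gaps described above (stale patching, an out-of-support operating system, a kiosk account with more privilege than it needs, and no real lockdown of the desktop) can be measured rather than guessed at. The script below is an added example, not code from the original article or from any kiosk vendor: a self-audit for a Windows-based kiosk. It assumes Windows 10 or 11 with PowerShell 5.1 and an elevated session; the kiosk account name (`KioskUser`) and the 45-day patch-age limit are assumed values to adjust for your own deployment. The SMBv1 check is included because that is the protocol WannaCry spread through.

```powershell
# Added example (not from the original article): a self-audit for a Windows kiosk
# that checks for stale patches, an end-of-life OS, SMBv1 left enabled, an
# over-privileged kiosk account and no shell lockdown.
# Assumptions: Windows 10/11, PowerShell 5.1, run from an elevated session.
# The kiosk account name and the patch-age limit are assumed values; adjust them.

function Test-KioskHardening {
    param(
        [string]$KioskUser = 'KioskUser',   # assumed local account the kiosk logs on as
        [int]$MaxPatchAgeDays = 45          # assumed policy limit, not a standard
    )

    $findings = @()

    # 1. Patch currency: how long since any update was installed.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) {
        $findings += 'No installed updates recorded; the device may never have been patched.'
    } else {
        $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        if ($age -gt $MaxPatchAgeDays) {
            $findings += "Last update ($($latest.HotFixID)) was $age days ago; limit is $MaxPatchAgeDays."
        }
    }

    # 2. Legacy OS: anything older than Windows 10 (NT version 10.0) is out of support.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'10.0') {
        $findings += "$($os.Caption) ($($os.Version)) is an unsupported operating system."
    }

    # 3. SMBv1: the protocol WannaCry spread through. A kiosk has no need for it.
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($smb1 -and $smb1.State -eq 'Enabled') {
        $findings += 'SMBv1 is enabled; remove it with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.'
    }

    # 4. Privilege: the kiosk account must not be a local administrator.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like "*\$KioskUser" }) {
        $findings += "Kiosk account $KioskUser is a member of the local Administrators group."
    }

    # 5. Lockdown: the kiosk user should get a restricted shell, not the full desktop.
    #    Assigned Access (Windows kiosk mode) is the supported way to do this.
    $assigned = $null
    if (Get-Command Get-AssignedAccess -ErrorAction SilentlyContinue) {
        $assigned = Get-AssignedAccess -ErrorAction SilentlyContinue
    }
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (-not $assigned -and $winlogon.Shell -eq 'explorer.exe') {
        $findings += 'No Assigned Access configuration and the default shell is explorer.exe; the user can reach the full desktop.'
    }

    # 6. Auto-logon password stored in clear text in the registry (a common kiosk shortcut).
    if ($winlogon.AutoAdminLogon -eq '1' -and $winlogon.DefaultPassword) {
        $findings += 'AutoAdminLogon is enabled with DefaultPassword stored in clear text under Winlogon.'
    }

    return $findings
}

# Run the audit and print one line per finding.
$result = @(Test-KioskHardening)
if ($result.Count -eq 0) {
    'PASS: no findings.'
} else {
    $result | ForEach-Object { "FAIL: $_" }
}
```

On a fleet, the function can be pushed to each kiosk with `Invoke-Command` and the returned findings collected centrally, which turns the "we don't know how well patched the kiosks are" problem into a list of devices that need a visit. Each check deliberately degrades to "no finding" when a cmdlet is unavailable, so the script should be treated as a floor, not proof of hardening.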
As we continue to rely on, and expect, technology in every far-flung corner of the world, we need to think harder about how we protect these devices.
Treating a kiosk as just a terminal that would not interest a hacker is precisely what makes kiosks attractive to attackers: they know the security is unlikely to be as tight as it should be. Making kiosks more secure could be the difference between being breached and remaining safe.